Thresholding Alerts

Problem

Noisy logs are the bane of every administrator's existence! How do you reduce the size of your haystack to help find that all-important needle?

Solution

Use the threshold keyword:

threshold: type <limit|threshold|both>, track <by_src|by_dst>, count <c>, seconds <s>;


Discussion

Thresholding is a useful way of thinning down your logs. It also lets you monitor for other unusual behavior. If you suddenly see a lot of NFS errors (as opposed to one or two every minute), you certainly have a problem, but you won't want to be alerted for every single NFS error.

To alert the first n times that an event happens during a time interval, use limit. To alert every nth occurrence during the time interval, use threshold.

There is also the combination type of both, which alerts once after n instances of the event.

The track keyword is used to monitor traffic either by source IP address or by destination IP address. It provides a method for grouping events to enable thresholding. Tracking is done by source or destination IP address only; there is no tracking on ports or any other criteria. The count is the number of events for the threshold and both types, and the number of alerts for the limit type. The seconds option sets the time during which the events should be counted, and, funnily enough, is in seconds.

So to alert on every tenth occurrence of a rule from the same source address within a five-second period, use the following:

threshold: type threshold, track by_src, count 10, seconds 5;
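To see how the three types differ in practice, here is a small simulation of the threshold keyword's counting logic, run over a constructed event stream. It is an added example, not code from the Snort Cookbook or from Snort itself; the event list, IP addresses and timestamps are made up, and the window handling (a window starts at the first event for a tracked address and expires after `seconds`) is a simplification of Snort's implementation.

```python
"""Simulate Snort's threshold keyword (limit / threshold / both) over a
constructed event stream, to see which events would produce alerts."""


class ThresholdTracker:
    """Applies one `threshold:` directive to a stream of events.

    ttype   -- "limit", "threshold" or "both"
    track   -- "by_src" or "by_dst" (the only two tracking keys Snort supports)
    count   -- events per window (threshold/both) or alerts per window (limit)
    seconds -- length of the counting window
    """

    def __init__(self, ttype, track, count, seconds):
        if ttype not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type: {ttype}")
        if track not in ("by_src", "by_dst"):
            raise ValueError(f"unknown track value: {track}")
        self.ttype, self.track = ttype, track
        self.count, self.seconds = count, seconds
        # per tracked address: (window start time, events seen in that window)
        self._state = {}

    def should_alert(self, ts, src, dst):
        key = src if self.track == "by_src" else dst
        start, n = self._state.get(key, (None, 0))
        # A window opens at the first event and expires after `seconds`.
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0
        n += 1
        self._state[key] = (start, n)
        if self.ttype == "limit":        # only the first `count` events alert
            return n <= self.count
        if self.ttype == "threshold":    # every `count`-th event alerts
            return n % self.count == 0
        return n == self.count           # both: alert once, on the `count`-th event


def simulate(ttype, track, count, seconds, events):
    """Return the indices of the events that would alert under the directive."""
    tracker = ThresholdTracker(ttype, track, count, seconds)
    return [i for i, (ts, src, dst) in enumerate(events)
            if tracker.should_alert(ts, src, dst)]


# Constructed sample stream: (unix timestamp, source IP, destination IP).
# Indices 0-24:  25 events from 10.0.0.5 spread over seconds 100..104.
# Indices 25-29: five events from 10.0.0.7 at second 104, same destination.
# Index 30:      one more event from 10.0.0.5 long after the window expired.
SAMPLE_EVENTS = (
    [(100 + i // 5, "10.0.0.5", "192.0.2.10") for i in range(25)]
    + [(104, "10.0.0.7", "192.0.2.10") for _ in range(5)]
    + [(120, "10.0.0.5", "192.0.2.10")]
)

if __name__ == "__main__":
    # The recipe's directive: type threshold, track by_src, count 10, seconds 5,
    # alongside the other types and the other track key for comparison.
    for ttype in ("limit", "threshold", "both"):
        for track in ("by_src", "by_dst"):
            hits = simulate(ttype, track, 10, 5, SAMPLE_EVENTS)
            print(f"type {ttype:9} track {track}: alerts on events {hits}")
```

With the recipe's directive (threshold, by_src, 10, 5) the burst from 10.0.0.5 alerts on its 10th and 20th events only; switching to by_dst pools both sources against the shared destination, so a third alert fires on the 30th event. The limit type instead passes the first ten events from each source and then goes quiet until the window expires, which is why the late event at second 120 alerts again.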


See Also

Snort User Manual

Recipe 2.25, Excluding from Logging
